Transcription

2 About the Presenters
Co-Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced Threats
Scott E. Donaldson is a Senior Vice President for Leidos, Inc., a Fortune 500 company that provides scientific, engineering, systems integration, and technical services. He is the Chief Technology Officer (CTO) and IT Director for its Health and Engineering Sector.
Chris K. Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has been designing, deploying, and operating cybersecurity solutions for government and commercial clients for over 20 years, and holds a patent for e-commerce technology.
Abdul Aslam is the Director of Cyber Security Compliance and Risk Management for Leidos, Inc. He has 19 years of experience in devising risk acceptance and compliance frameworks, application security, security operations, and information protection.

3 Agenda
1. How you were taught to do cyber defense in the past
2. What modern attackers do to defeat your defenses: the illusion of defense in depth
3. Why the defense methods you were taught in the past don't work against today's attackers
4. Why the frameworks you're supposed to implement may not be helpful
5. What you can do that *does* work
6. What you can expect in the future

4 1. Legacy Cyberdefense
In the 1990s: Cyberdefense involved hardening Internet-connected computers against attack.
In the 2000s: Cyberdefense involved building network perimeters to protect enterprise networks from the Internet.
In the 2010s: Cyberdefense is struggling to find a new paradigm for protection.

5 2. The Illusion of Defense in Depth
Complexity does not correlate with effectiveness:
You think your security is pretty good.
You deploy sophisticated cybersecurity technologies.
Yet you still get pwned.
Perhaps your defense in depth is not as deep as you think.

8 3. Why Cyberdefenses Don't Work
In a complex environment:
Flaws are inevitable.
Systems malfunction.
People make mistakes.
Therefore:
Attackers can always gain a foothold, eventually.
Defenders don't detect the attackers on the inside.
Attackers eventually succeed.
Show me artifacts that indicate your defenses catch and stop the attacks that are occurring.

9 Inevitable Failure: Endpoints
The reality is that endpoints are always compromised:
Home PCs: 1 / 10
Enterprise PCs: 1 / 100
Enterprise Servers: 1 / 1,000
(Source: Verizon 2013 Data Breach Investigations Report)
One cause is the "Inevitability of the Click".
You can reduce these numbers, but you CANNOT eliminate them. Therefore, are you detecting them when they occur?

13 4. The Challenge With Frameworks
Major frameworks focus primarily on prevention: ISO, NIST SP, SANS / CSC 20, PCI.
NIST New Framework of 2013:
Organized around the incident life cycle.
Unclear how to use it in a cybersecurity program.
Adoption is not widespread.
Most frameworks would rather try to prevent attacks. Few consider how (in)effective that prevention actually is.
Show me artifacts that indicate your prevention is working.

15 5. A Pragmatic Approach
Rather than strive for perfection, strive for good enough:
Focus on real-world attacks that are most likely to occur.
Repel attacks when they occur, then improve defenses.
Design defenses to impede the attack: Disrupt, Detect, Delay, Defeat.
[Figure: a funnel in which many initial attacks pass through the Disrupt, Detect, Delay and Defeat layers, leaving fewer penetrations.]

16 Pragmatic Security: Audit First
[Figure: the sequence Threat Analysis, Audit Controls, Forensic Controls, Detective Controls, Preventive Controls.]
Don't try to protect everything.
Design Security Around the Threats:
How do you search for the threat?
What logs do you need to detect the threat?
Can you alert when the threat occurs?
Can you block the threat so it does not succeed?
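The following is an added illustration, not code from the presentation or its authors, of how the "Audit First" questions on this slide apply to one threat from the deck, the "Inevitability of the Click" on slide 9 (a user opens a phishing attachment). The process-creation log lines, the field names and the parent/child heuristic (a mail or Office client spawning a scripting host) are assumptions constructed for the example.

```python
"""Walk the 'Audit First' questions for the click threat:
search the logs, check they carry what detection needs, and alert.
Constructed example; log lines and the heuristic are assumptions."""
import re

# "What logs do you need?": process-creation records carrying parent and child.
REQUIRED_FIELDS = {"ts", "host", "user", "parent", "child", "cmdline"}

# Heuristic (assumption): a mail/Office client should not spawn a script host.
CLICK_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed process-creation log lines, one key=value event per line.
SAMPLE_LOG = """\
ts=2015-06-01T09:01:10 host=pc-017 user=alice parent=explorer.exe child=outlook.exe cmdline="outlook.exe"
ts=2015-06-01T09:03:42 host=pc-017 user=alice parent=winword.exe child=powershell.exe cmdline="powershell -enc AAAA"
ts=2015-06-01T09:04:05 host=pc-022 user=bob parent=explorer.exe child=cmd.exe cmdline="cmd /c dir"
ts=2015-06-01T09:05:30 host=pc-031 user=carol parent=outlook.exe child=wscript.exe cmdline="wscript invoice.js"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def log_coverage(events):
    """Audit/forensic control: which fields the detection needs are missing
    from the log source? Empty set means the threat is searchable at all."""
    present = set.intersection(*(set(e) for e in events)) if events else set()
    return REQUIRED_FIELDS - present

def find_click_chains(events):
    """Detective control: events where a mail/Office client spawned a script host."""
    return [e for e in events
            if e.get("parent", "").lower() in CLICK_PARENTS
            and e.get("child", "").lower() in SCRIPT_HOSTS]

def run(log_text=SAMPLE_LOG):
    """Answer the slide's questions for one log source: can we search, and what alerts?"""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    missing = log_coverage(events)
    if missing:  # logs cannot support the detection; fix collection before tuning alerts
        return {"searchable": False, "missing": sorted(missing), "alerts": []}
    hits = find_click_chains(events)
    return {"searchable": True, "missing": [],
            "alerts": [(h["host"], h["user"], h["parent"], h["child"]) for h in hits]}

if __name__ == "__main__":
    for a in run()["alerts"]:
        print("ALERT click-chain host=%s user=%s %s -> %s" % a)
```

Bob's explorer.exe launching cmd.exe is ordinary user activity and is deliberately not flagged; the two alerts are the Word-to-PowerShell and Outlook-to-WScript chains.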

17 Pragmatic Security: Cyber Castles
We can learn from history by looking at medieval towns:
Most of the productivity is in the undefended fields and village.
The town is lightly defended, but the castle is heavily defended.
To take the town, you have to control the castle.
Tower = Authentication Systems
Castle = Security Systems
Town = Business Servers
Fields = Regular Users

20 A Successful Cybersecurity Program
Characteristics:
More than just technologies.
Coordinate all of the following: Cybersecurity Policy, Programmatics, IT life cycle, Assessment.
Combine to guide, build and operate a successful program.
Challenges:
Policy frameworks seldom align well with organization or assessment.
Programmatic frameworks focus on business considerations, not cybersecurity.
IT life cycle frameworks do not support cybersecurity management or reporting.
Assessment frameworks do not tend to align with people, organization or technology deployment.

21 Elements of a Successful Program
Requirements for a Successful Enterprise Cybersecurity Framework:
It needs to tie together architecture, policy, programmatics, IT life cycle, and assessments using a single framework for delegation and coordination.
Tie together architecture, policy, programmatics, IT life cycle, and assessments into a single framework.
Enables delegation of cybersecurity responsibilities into functional areas.
Functional areas align well with real-world skills of cybersecurity professionals, and support budgets and technologies.
Functional areas enable easy delegation and reporting of status at an abstraction layer suitable for executive consumption.
Functional areas support the business decision-making process for strategy and prioritization.

22 Axioms for Cyberdefense
Cybersecurity needs to be planned around the idea of achieving only partial security, rather than being resourced to do everything perfectly all the time.
Major cybersecurity frameworks lay out what the ideal practice should be, but have little, if any, guidance on how to deploy a partial solution that is the best value for the cost when the funding is not adequate to achieve the ideal.
Cybersecurity professionals must learn how to work with the business to find a balance between defenses that are only partially successful, but effective in the eyes of the business.

23 Conclusion
With a legacy cyber defense, the defender has to do everything perfectly to protect the enterprise.
With a next-generation cyber defense, the attacker has to do everything perfectly to attack it.
Which would you rather have?

24 6. Looking to the Future
Cyberattacks and defenses can be characterized as generations.
We are now in the transition from Generation 2 to Generation 3.
There are more generations coming after this.
